No-IP Domain System Users Return Online After Microsoft Takedown

The legal seizure of domains, and the resulting disruption to legitimate users, will likely define the precedent for future civil actions against companies that seemingly do not do enough to clean their networks.

After nearly a week, the last users of the dynamic domain-name system known as No-IP are back online and able to reach their servers through the service, following technical glitches resulting from Microsoft's seizure of 23 domain names belonging to company.
Microsoft seized the domains on June 30 without notifying No-IP in an attempt to dismantle cyber-criminals' use of the service to infect and steal data from more than 7.4 million Windows users, the company said. By taking over the 23 domains, Microsoft aimed to filter out malicious traffic and allow legitimate users to access their systems through the dynamics DNS service. Instead, a technical glitch on Microsoft's part resulted in millions of users being disconnected from their systems, according to No-IP.
Microsoft worked to reconnect legitimate users, while No-IP argued in Nevada district court to get the domains returned. In the end, both succeeded: All users should have been able to access their systems and accounts on July 4, No-IP said on July 3.
"We would like to give you an update and announce that ALL of the 23 domains that were seized by Microsoft on June 30 are now back in our control," the firm stated in a blog post. "Please realize that it may take up to 24 hours for the DNS to fully propagate, but everything should be fully functioning within the next day."

The seizure of the domains represented Microsoft's 10th botnet takedown using a combination of civil and technical actions. Microsoft aimed to disrupt a variety of botnets based on two programs, njRAT and njw0rm, which it refers to Bladabindi and Jenxcus, respectively. Of the domains used by the botnets, 93 percent were hosted on No-IP, according to Microsoft. While some past actions caused conflict with security researchers and small technical problems, the latest takedown caused widespread problems among the legitimate users of No-IP.

Microsoft apologized for the outage, but only issued a prepared comment, citing pending litigation. No-IP did not respond to emailed requests for comment.
"Due to a technical error, some customers whose devices were not infected by the malware experienced a temporary loss of service," David Finn, executive director and associate general counsel for Microsoft's Digital Crimes Unit, said in a statement sent to eWEEK.
Both companies continue to argue the case in the federal district court in Nevada, according to court filings.
Dynamic DNS providers allow users to connect a domain name with an ever-changing Internet address. Many bot masters use a similar technique, known as fast fluxing, to accomplish this, pointing their domain name cycle through a limited pool of Internet addresses.
Dynamic DNS is a legitimate form of this, typically used by home users and small businesses to associate a domain name with a dynamic Internet address. Legitimate users, for example, can access file, email and virtual private network (VPN) servers on their home network through a dynamic DNS configuration using just a typical third-level domain name.
No-IP is the most used dynamic DNS provider for cyber-criminals' third-level domains, but it also happens to be the most popular provider for legitimate usage, according to an analysis by security firm OpenDNS. On average, only 4 percent of dynamic DNS domains are malicious, according to the OpenDNS analysis.
Other metrics bear out that dynamic DNS is a haven for malicious traffic. Cisco found that 20 percent of dynamic DNS requests were considered malicious and were blocked, compared to only 1 percent of all Web traffic. And a tag cloud of the worst offenders highlights three major malicious domains, all owned by No-IP.